Jill Kamperides

**Name of the Vulnerable Software and Affected Versions** Citrix XenApp version 6.5 **Description** The issue allows a remote unauthenticated attacker to determine whether a user exists on the server when two-factor authentication (2FA) is enabled. This is because the 2FA error page is only displayed after a valid username is entered. The products affected by this issue are no longer supported by the maintainer. **Recommendations** For Citrix XenApp version 6.5, as the product is no longer supported, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Mitel ShoreTel Conference Web Application versions 19.50.1000.0 through versions prior to MiVoice Connect 18.7 SP2 **Description** A reflected cross-site scripting (XSS) issue allows remote attackers to inject arbitrary JavaScript and HTML via the PATH INFO to "home.php". This enables attackers to execute malicious scripts on the client-side, potentially leading to unauthorized actions or data exposure. **Recommendations** For versions 19.50.1000.0 through versions prior to MiVoice Connect 18.7 SP2, update to MiVoice Connect 18.7 SP2 or later to resolve the issue. As a temporary workaround, consider restricting access to the "home.php" endpoint to minimize the risk of exploitation.